Important! CounterSpy Definitions 416 False Positives

[eburger68]

Hi All:

Definitions 416 for CounterSpy Consumer 1.5 & 2.0 Beta (defs 418 for CSC 1.0) were released Wednesday evening. As a result of an unusual confluence of circumstances, two false positives were incorporated into defs 416. Both false positives are on Registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\CODE STORE DATABASE\DISTRIBUTION UNITS

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MODULEUSAGE

Both false positives will be reported as "SearchSquire" (ThreatID 40276).

You will likely see more than just the above two Registry keys detected, though, because these two Registry keys store data for installed ActiveX controls in Windows. In addition to the above two Registry keys, you will likely also see detections for a number of sub-keys and values as well as files in the \Downloaded Program Files folder. All of these detections are being caused by the two erroneous Registry traces listed above.

Sunbelt became aware of the problem late Wednesday night/early Thursday morning. We will be pushing out corrected definitions later this morning. At present Sunbelt is working to turn off any further distribution of defs 416 from Sunbelt's update servers.

Until those corrected defs are released, we advise you not to quarantine or remove any "SearchSquire" detections from system scans using defs 416. If you have already quarantined SearchSquire traces from a scan with defs 416, you should unquarantine those traces.

We will announce the release of the corrected set of defs.

Best,

Eric L. Howes
Sunbelt Software

[eburger68]

Hi All:

Sunbelt has now released Definitions version 417 for CounterSpy 1.5 and 2.0 beta (420 for CounterSpy 1.0). These definitions correct the SearchSquire false positives announced earlier.

Best,

Eric L. Howes

[the Tester]

Thanks for the heads up Eric.

[JerryM]

I did not correct it on mine. I'll run another scan and see if any different.

Edit, No, I have CS2 on two machines with both showing v 417, and the scans still show SearchSquire.
Jerry

[Bubba]

Quote:

Originally Posted by JerryM

I did not correct it on mine. I'll run another scan and see if any different.

Edit, No, I have CS2 on two machines with both showing v 417, and the scans still show SearchSquire.
Jerry

Same here Jerry and until it's fully corrected We can just tell CounterSpy to ignore them, or always ignore.

Bubba

[JerryM]

Quote:

Originally Posted by Bubba

Same here Jerry and until it's fully corrected We can just tell CounterSpy to ignore them, or always ignore.

Bubba

Yes, and they are aware if on the support forum. I will just tell to ignore.
Thanks,
Jerry

[eburger68]

Hi All:

Those of you using CounterSpy 2.0 should be aware that there are some glitches with the incremental update system -- glitches that the devs are working on. One of those glitches involves incremental updates being applied in such a way that false positives corrected in our master database aren't corrected in the defs on the user's hard drive. (The other glitch involves incremental updates that simply fail to be merged properly.)

If you visit the Sunbelt beta forums and look in the "Definitions & Updates" forum you'll find a good, zipped copy of defs 417 that can be downloaded and manually installed. This known good copy of 417 will correct the SearchSquire false positives.

Best,

Eric L. Howes
Sunbelt Software

[Bubba]

Quote:

Originally Posted by eburger68

This known good copy of 417 will correct the SearchSquire false positives.

I can confirm the manual install does indeed fix the 417 FP's and have posted as such on the CounterSpy Forums. Thanks as always for the promptness in rectifying.

Bubba

[JerryM]

Quote:

Originally Posted by Bubba

I can confirm the manual install does indeed fix the 417 FP's and have posted as such on the CounterSpy Forums. Thanks as always for the promptness in rectifying.

Bubba

Me too!
All is well now with the fix.
Thanks,
Jerry